
ISO 22301:2019 · Regulator Mapping

ISO 22301 Regulatory Mapping:
One BCMS, Four Regulators

The CBUAE's outsourcing rules for UAE banks, SAMA's BCM framework in Saudi Arabia, APRA's CPS 230 in Australia, and the EU's DORA all reach the same desks: the vendors financial institutions depend on. Each speaks its own vocabulary, but each asks for the same artefacts a BCMS produces. This guide maps ISO 22301:2019 element by element to all four, so you build the evidence once and answer every assessor with it.

Our consultants have prepared ADIB (Abu Dhabi Islamic Bank), Mashreq Bank, and AMEX for ISO 22301 in the Middle East — the region where this mapping is tested against real vendor assessments.

500+ audits across India, USA, UK, Australia & UAE
250+ SOC 2 attestations to date
4 regimes mapped — CBUAE · SAMA · CPS 230 · DORA

ISO 22301:2019 · CBUAE · SAMA · CPS 230 · DORA · Last reviewed June 2026

Direct Answer

Why One BCMS Can Answer Four Regulators

The four regimes were written for different markets, but they supervise the same fear: a financial institution losing a critical service because a supplier could not stay up. So each one, in its own language, pushes the same questions down the supply chain — what would disruption cost, how fast can you recover, where is the tested plan, who else do you depend on, and who governs all of it?

Those are, clause for clause, the questions ISO 22301:2019 answers: the BIA (8.2), the recovery targets (8.2), the plans (8.4), the exercise programme (8.5), supplier continuity (8.1), and leadership plus management review (Clauses 5 and 9.3). Build the artefacts once, to the strictest reading among your contracts, and the remaining work per regulator is translation — not a new programme. That translation is exactly what the table below performs, and what our operational resilience team delivers as part of every Gulf and Australia-facing engagement.

Proven in the Middle East

This mapping is not theoretical — it is the working translation used inside vendor assessments for the region’s most demanding financial institutions.

The Mapping

Six ISO 22301 Elements, Four Vocabularies

Read each row left to right: the artefact you build once under ISO 22301, then what it means to a UAE bank’s assessor, a SAMA-regulated customer, an APRA-regulated entity, and an EU financial entity under DORA.

Columns: ISO 22301 element (clause) · CBUAE (UAE banks) · SAMA (Saudi Arabia) · APRA CPS 230 (Australia) · EU DORA

BIA & prioritised activities (Clause 8.2)
  CBUAE: The first artefact a UAE bank's outsourcing assessment requests from a critical vendor: the impact analysis behind your continuity claims
  SAMA: A BIA is an explicit building block of the SAMA BCM framework, which is constructed on ISO 22301
  CPS 230: Regulated entities must identify critical operations and the providers they depend on; your BIA supplies your side of that picture
  DORA: Financial entities map ICT services supporting critical or important functions; providers evidence the dependency analysis beneath them

RTO / RPO / MTPD targets (Clause 8.2)
  CBUAE: Recovery objectives evidenced to the bank's vendor-risk team, with the analysis that produced them
  SAMA: Recovery objectives set, documented, and tested under the framework's planning requirements
  CPS 230: Tolerance levels for disruptions to critical operations; supplier recovery targets must support the entity staying within tolerance
  DORA: Recovery time and recovery point objectives form part of the ICT risk-management framework your contracts reference

Continuity plans & procedures (Clause 8.4)
  CBUAE: A current, organisation-specific BCP is expected from critical suppliers; template plans fail assessment
  SAMA: ISO 22301-based business continuity plans are mandated for member organisations, with expectations flowing to their suppliers
  CPS 230: Credible plans to keep critical operations within tolerance through disruption, including provider dependencies
  DORA: An ICT business continuity policy with documented response and recovery plans for ICT services

Exercising & testing (Clause 8.5)
  CBUAE: Exercise results requested at due diligence and contract renewal; a plan without test evidence reads as untested
  SAMA: DR and BCP testing expected at least annually, with results documented
  CPS 230: Systematic testing of continuity arrangements, explicitly including material service providers in scenarios
  DORA: A digital operational resilience testing programme, proportionate to the services provided

Supplier & third-party continuity (Clause 8.1)
  CBUAE: Outsourcing standards push continuity obligations down the chain; your own critical providers need arrangements too
  SAMA: The framework's scope extends to subcontractors and third parties of member organisations
  CPS 230: Material service provider management; pre-existing contracts comply by the earlier of next renewal or 1 July 2026
  DORA: Mandatory resilience provisions in ICT contracts and a register of information covering every arrangement

Management review & governance (Clauses 5 & 9.3)
  CBUAE: Assessors ask who owns the vendor's continuity programme and when management last reviewed it
  SAMA: BCM accountability sits at senior level in member organisations; vendor governance is read against the same expectation
  CPS 230: The regulated entity's board is accountable for operational risk, so vendor programmes need named ownership and review records
  DORA: The management body holds ultimate responsibility for ICT risk; provider governance evidence supports that accountability

A working summary for vendors, not legal advice — each regime legally binds your regulated customers, who interpret their obligations with their own advisers. Your part is the evidence; that is the part TCSA builds.

Regulator by Regulator

What Each Regime Means for You as a Vendor

The same BCMS, read through four supervisory lenses — and the specific asks each one lands on your desk.

United Arab Emirates

CBUAE — the UAE bank vendor mandate

The Central Bank of the UAE’s business-continuity and outsourcing rules require banks to ensure their critical vendors maintain robust continuity arrangements. UAE banks operationalised that duty the direct way: ISO 22301-aligned — and increasingly certified — BCMS requirements written into supplier contracts, with the first deadline wave landing in December 2025.

For a vendor, the consequence is binary: credible BCMS evidence keeps you on the approved-supplier list; its absence fails the assessment. The artefacts requested track ISO 22301’s Clause 8 almost exactly — BIA, recovery targets, plans, and exercise reports — which is why an ISO 22301 build is the efficient answer rather than a parallel compliance exercise.

What lands on your desk

  • Evidence of a continuity programme proportionate to the service you run for the bank
  • Your BIA and the recovery objectives for the services the bank consumes
  • A current, organisation-specific business continuity plan
  • Recent exercise results — and increasingly an accredited ISO 22301 certificate


Saudi Arabia

SAMA — the Business Continuity Management Framework

The Saudi Central Bank’s BCM Framework is mandatory for member organisations — banks, finance companies, insurers, and payment providers — and is built directly on ISO 22301: BIA, recovery objectives, documented plans, and testing at least annually for DR and BCP. Its scope explicitly extends to subcontractors and third parties, and disruptive incidents are reported to SAMA.

That extension is what reaches you: suppliers to SAMA-regulated entities are asked in due diligence to evidence an equivalent, tested BCMS. Because the framework and ISO 22301 share a skeleton, a certified or audit-ready ISO 22301 system answers the SAMA-derived questionnaire in the regulator’s own vocabulary.

What lands on your desk

  • A BCMS equivalent to what SAMA requires of the regulated entity itself
  • BIA, recovery objectives, and continuity plans mapped to the services you provide
  • Evidence of DR and BCP testing on at least an annual cadence
  • Continuity arrangements for your own subcontractors supporting the service


Australia

APRA CPS 230 — supplier contracts by 1 July 2026

APRA’s Prudential Standard CPS 230 on operational risk management has been in force since 1 July 2025. It makes Australian banks, insurers, and superannuation trustees accountable for keeping critical operations within defined tolerance levels through disruption — and for managing the risks of the material service providers those operations depend on, including continuity testing that covers them.

The contract mechanics set the calendar: pre-existing provider contracts must comply by the earlier of their next renewal or 1 July 2026. Continuity clauses, tolerance commitments, and exercise-participation obligations are therefore entering supplier paperwork now — and an ISO 22301 BCMS is the cleanest way to evidence your side before the clause arrives.

What lands on your desk

  • Recovery targets that support the entity’s tolerance levels for its critical operations
  • Documented continuity plans for the service you provide as a material service provider
  • Participation in the entity’s continuity exercises — with your own test evidence ready
  • Contractual continuity commitments your BCMS can actually honour


European Union

EU DORA — ICT third-party risk

The EU’s Digital Operational Resilience Act (Regulation 2022/2554) has applied since 17 January 2025. Its ICT third-party risk pillar obliges financial entities to write mandatory resilience provisions into contracts with ICT service providers — continuity, testing, incident cooperation, exit plans — and to maintain a register of information covering every such arrangement.

If EU financial entities run on your software or services, those provisions are flowing into your MSAs whether or not anyone says “DORA” aloud. An ISO 22301-grade BCMS produces the response and recovery plans, testing evidence, and governance records the clauses reference — built once, cited in every contract.

What lands on your desk

  • ICT business continuity policy with response and recovery plans for the contracted services
  • Resilience-testing evidence proportionate to the criticality of the service
  • Cooperation commitments for incident handling and the entity’s register of information
  • Documented exit and transition support the continuity plans make credible


Primary sources: the CBUAE Rulebook business-continuity requirements, the SAMA Business Continuity Management Framework, APRA Prudential Standard CPS 230, and Regulation (EU) 2022/2554 (DORA). Bank-specific vendor deadlines vary by institution and contract — confirm yours during scoping.

The Evidence Pack

What to Hand a Bank’s Vendor-Risk Team

Assessments are won on turnaround as much as substance. We assemble this pack as a controlled, versioned set — internals redacted, externals release-ready — so the answer to a continuity questionnaire is an attachment, not a six-week project.

  • BCMS scope statement and business continuity policy
  • Latest BIA summary with management sign-off and a review date that postdates your last organisational change
  • Recovery-target register: RTO, RPO, and MTPD per prioritised activity the customer depends on
  • Business continuity and IT disaster-recovery plans, sanitised for external release
  • Your two most recent exercise reports, with corrective actions and their closure status
  • Continuity arrangements for your own critical suppliers and subcontractors
  • Internal audit report and management review summary: proof the system is governed, not shelved
  • Accredited ISO 22301 certificate, or a dated audit-readiness statement while certification is in progress
  • Incident-notification procedure aligned to the timelines in the customer's contract
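Before a pack like this goes out, it is worth running a mechanical pre-flight over the recovery-target register and the evidence dates, because the items assessors reject are usually internally inconsistent rather than missing: an RTO that sits outside the MTPD, a supplier RTO longer than the customer's contracted tolerance (the CPS 230 ask in the mapping above), a BIA last reviewed before the last reorganisation, or an exercise report older than the annual cadence SAMA expects. The script below is an added example, not TCSA's tooling or anything from the regulators' texts; the activity names, hours and dates are constructed for illustration, and the twelve-month staleness threshold is an assumption taken from the annual testing expectation rather than from any one contract.

```python
"""Pre-flight check over a continuity evidence pack before it is released.

Added example, not TCSA tooling. Activity names, hours and dates are
constructed for illustration. The rules encode what the mapping above asks
for: an RTO inside the MTPD (ISO 22301 Clause 8.2), a supplier RTO that keeps
the regulated customer within its own tolerance (CPS 230), a BIA reviewed
after the last organisational change, and exercise and management-review
evidence no older than a year (assumed from SAMA's annual DR/BCP testing).
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Activity:
    name: str
    rto_h: float                                   # recovery time objective, hours
    rpo_h: float                                   # recovery point objective, hours
    mtpd_h: float                                  # maximum tolerable period of disruption, hours
    customer_tolerance_h: Optional[float] = None   # contracted customer tolerance, if any


@dataclass(frozen=True)
class Evidence:
    bia_reviewed: date
    last_org_change: date
    exercise_reports: Sequence[date]               # dates of exercise reports on file
    management_review: date


def check_targets(activities: Sequence[Activity]) -> List[str]:
    """Flag recovery targets that cannot be defended to an assessor."""
    findings = []
    for a in activities:
        if a.rto_h >= a.mtpd_h:
            findings.append(f"{a.name}: RTO {a.rto_h}h is not inside MTPD {a.mtpd_h}h")
        if a.customer_tolerance_h is not None and a.rto_h > a.customer_tolerance_h:
            findings.append(
                f"{a.name}: RTO {a.rto_h}h exceeds customer tolerance {a.customer_tolerance_h}h"
            )
    return findings


def check_evidence(ev: Evidence, as_of: date, max_age_days: int = 365) -> List[str]:
    """Flag governance evidence that is stale or missing."""
    findings = []
    if ev.bia_reviewed <= ev.last_org_change:
        findings.append("BIA review predates the last organisational change")
    reports = sorted(ev.exercise_reports, reverse=True)
    if len(reports) < 2:
        findings.append("fewer than two exercise reports on file")
    if not reports or (as_of - reports[0]).days > max_age_days:
        findings.append("latest exercise report is older than 12 months")
    if (as_of - ev.management_review).days > max_age_days:
        findings.append("management review is older than 12 months")
    return findings


# Constructed sample register: one clean activity and two that should fail.
SAMPLE_ACTIVITIES = (
    Activity("payment-file processing", rto_h=4, rpo_h=1, mtpd_h=24, customer_tolerance_h=8),
    Activity("customer support portal", rto_h=48, rpo_h=24, mtpd_h=24),
    Activity("statement generation", rto_h=12, rpo_h=4, mtpd_h=72, customer_tolerance_h=8),
)
SAMPLE_EVIDENCE = Evidence(
    bia_reviewed=date(2025, 3, 1),
    last_org_change=date(2025, 6, 15),
    exercise_reports=(date(2024, 11, 20), date(2025, 5, 10)),
    management_review=date(2025, 9, 1),
)
AS_OF = date(2026, 6, 1)


def preflight(activities=SAMPLE_ACTIVITIES, evidence=SAMPLE_EVIDENCE, as_of=AS_OF) -> List[str]:
    """Combined findings; an empty list means the pack is release-ready."""
    return check_targets(activities) + check_evidence(evidence, as_of)


if __name__ == "__main__":
    for finding in preflight():
        print("FINDING:", finding)
```

Run as-is it reports four findings against the constructed sample: one RTO outside its MTPD, one RTO longer than the customer's tolerance, a BIA review that predates the last reorganisation, and an exercise report past the twelve-month mark. Replace the sample tuples with your own register and run it before every questionnaire; the RTO-versus-tolerance check is the one to keep current as CPS 230 and DORA clauses arrive in contracts, since that figure is what the customer will measure you against.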

One pack, four audiences: the same set answers a CBUAE-driven bank assessment, a SAMA-derived due diligence questionnaire, a CPS 230 provider review, and a DORA contract negotiation — because every item traces to the ISO 22301 elements in the mapping table above.

“Vendors lose approved-supplier status over turnaround, not substance — the questionnaire sat six weeks while someone hunted for an exercise report. We build the pack before anyone asks, so the continuity section of any assessment is answered the day it arrives.”
Surendra Pal Singh, CISO & DPO, TCSA — CISA, ISO 27001 / 27701 / 42001 Lead Auditor


ISO 22301 Regulator Mapping — Frequently Asked Questions

CBUAE, SAMA, CPS 230, and DORA answers from the consultants who prepared Middle East banks for ISO 22301.

Can one ISO 22301 BCMS satisfy CBUAE, SAMA, CPS 230, and DORA at once?

For what each regime asks of a vendor — yes, in substance. All four converge on the same artefacts: a business impact analysis, recovery objectives, documented and tested continuity plans, supplier-continuity arrangements, and governance records. Build those once to ISO 22301:2019 and map them outward to each regulator’s vocabulary, as the table on this page does. What stays contract-specific is detail like notification timelines, audit rights, and exit-plan commitments, which fold into the same BCMS. One scope note: the regimes legally bind your regulated customers, not you — TCSA builds the vendor-side evidence; interpretation of a regime’s obligations stays with each customer’s advisers.

Does CBUAE require vendors to hold ISO 22301 certification?

The CBUAE rules bind the banks, requiring them to ensure critical vendors maintain robust continuity arrangements — and UAE banks have operationalised that duty by writing ISO 22301 requirements into supplier contracts, with the first deadline wave landing in December 2025. Whether your specific contract demands accredited certification or “alignment plus evidence” varies by bank and by how critical your service is; the demand has been tightening toward certification. We confirm the exact contractual wording during scoping and build to it — with the BCMS structured so you can step up to accredited certification without rework if the bank later insists.

Is ISO 22301 certification mandatory under SAMA?

SAMA’s Business Continuity Management Framework is mandatory for member organisations — banks, finance companies, insurers, and payment providers — and it is built directly on ISO 22301 rather than formally requiring the certificate. For suppliers, the obligation arrives through due diligence: SAMA-regulated customers ask vendors to evidence an equivalent, tested BCMS, because the framework’s scope extends to subcontractors and third parties. An accredited ISO 22301 certificate is the most efficient single answer to that questionnaire, and an audit-ready aligned BCMS is usually the acceptable minimum.

What does APRA CPS 230 mean for suppliers to Australian financial institutions?

CPS 230 has been in force since 1 July 2025 and makes APRA-regulated entities accountable for the operational resilience of their material service providers. Practically, that reaches suppliers through contracts: pre-existing arrangements must comply by the earlier of their next renewal or 1 July 2026, so continuity clauses, tolerance commitments, and exercise-participation obligations are entering supplier paperwork now. A supplier with an ISO 22301 BCMS — recovery targets, tested plans, exercise evidence — can accept those clauses knowing it can honour them, and answer the entity’s provider-assessment questionnaire from artefacts that already exist.

What does EU DORA require of ICT providers to financial entities?

DORA (Regulation 2022/2554, applying since 17 January 2025) obliges EU financial entities to include mandatory resilience provisions in contracts with ICT third-party service providers — continuity and recovery commitments, testing cooperation, incident-handling support, and exit plans — and to record every arrangement in a register of information. Critical ICT providers face an additional EU-level oversight regime. For most vendors the practical work is contract-readiness: an ICT business continuity policy, response and recovery plans, and testing evidence an ISO 22301-grade BCMS produces as standard outputs.

How is a multi-regulator BCMS engagement priced?

The same way as every TCSA engagement: custom-scoped and confirmed as a fixed, all-inclusive quote after a short scoping call — no hourly billing, no scope creep. Scope reflects headcount, sites, the products in scope, which regulator-driven contracts you face and their deadlines, and whether accredited ISO 22301 certification is included. Mapping the finished BCMS to CBUAE, SAMA, CPS 230, and DORA vocabularies is part of the engagement rather than a separate programme, because the artefacts are built once. If you proceed to certification, the accredited certification body’s audit fee is quoted separately by that body.

Written By Expert Auditors

Saundhi Chauhan, Lead Auditor
ISO 27001 Lead Auditor · ISO 27701 Lead Auditor

Surendra Pal Singh, Chief Information Security Officer & Data Protection Officer
CISO · DPO · CISA · MCSE · ITIL · ISO 27001 Lead Auditor · ISO 27701 Lead Auditor · ISO 42001 Lead Auditor

Last reviewed: June 2026. Content verified by certified lead auditors.
